Registry Items

Overview

Evidence: Registry Items
Description: Enumerate Registry Items
Category: System
Platform: windows
Short Name: rgstrpr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

The Windows registry contains numerous locations where programs can register themselves to run automatically at system startup, at user logon, or on specific events. Attackers commonly abuse these registry keys to establish persistence.

The collector examines dozens of known autorun registry locations used by both legitimate software and malware for persistence.

Data Collected

This collector gathers structured data about registry items.

Registry Items Data

Field                 | Description                              | Example
----------------------|------------------------------------------|------------------------------------------------------
KeyPath               | Full registry key path                   | HKLM\Software\Microsoft\Windows\CurrentVersion\Run
View                  | Registry view (32-bit or 64-bit)         | 256
LastWriteTime         | Registry key last write time             | 2023-10-15T14:30:00
Is32Bit               | Whether this is the 32-bit registry view | TRUE
EntryName             | Registry value or entry name             | GoogleUpdate
CommandLine           | Command line to execute                  | "C:\Program Files\Google\Update\GoogleUpdate.exe" /c
AutorunsRegistryRowID | Foreign key to main entry                | 1

Collection Method

This collector:

  • Loads autorun definitions from an embedded JSON resource

  • Searches for registry keys matching the patterns in those definitions

  • Examines both 32-bit and 64-bit registry views

  • Parses command lines to extract executables and arguments

  • Resolves CLSID references to file paths

  • Collects file information for all referenced executables

Common persistence locations include:

  • HKLM/HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  • HKLM/HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • Shell extensions and explorer add-ons

  • Winlogon registry keys

  • Active Setup entries

  • And many other documented persistence locations
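The following PowerShell script is an added example that walks through the collection steps listed above for the two Run/RunOnce locations; it is not the collector's own code, and the product's embedded definition file, CLSID resolution and exact command-line parser are not reproduced. It opens each key in both the 64-bit and 32-bit registry views, reads the key's last write time through RegQueryInfoKey (which neither the registry provider nor the .NET RegistryKey class exposes), splits each value into executable and arguments, resolves the file that would actually run (the DLL for rundll32 entries), and collects size, SHA-256 and Authenticode status. The function names and the output column names are this example's own choices, shaped to mirror the Registry Items table above.

```powershell
# Added example, not the collector's code: enumerate Run/RunOnce in both registry views,
# split each command line into executable + arguments, and gather file information.

# P/Invoke RegQueryInfoKey: the only documented way to read a key's last write time.
Add-Type -Namespace Win32 -Name RegNative -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey, System.Text.StringBuilder lpClass,
    ref uint lpcbClass, IntPtr lpReserved, out uint lpcSubKeys, out uint lpcbMaxSubKeyLen,
    out uint lpcbMaxClassLen, out uint lpcValues, out uint lpcbMaxValueNameLen,
    out uint lpcbMaxValueLen, out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegKeyLastWriteTime {
    param([Microsoft.Win32.RegistryKey]$Key)
    $cls = New-Object System.Text.StringBuilder 256
    $cb = [uint32]256
    $n1 = $n2 = $n3 = $n4 = $n5 = $n6 = $n7 = [uint32]0
    $ft = [long]0
    $rc = [Win32.RegNative]::RegQueryInfoKey($Key.Handle, $cls, [ref]$cb, [IntPtr]::Zero,
        [ref]$n1, [ref]$n2, [ref]$n3, [ref]$n4, [ref]$n5, [ref]$n6, [ref]$n7, [ref]$ft)
    if ($rc -ne 0) { return $null }
    [DateTime]::FromFileTimeUtc($ft)
}

function Split-AutorunCommandLine {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        # Quoted image path: everything up to the closing quote is the executable
        $end = $cmd.IndexOf('"', 1); if ($end -lt 0) { $end = $cmd.Length }
        $exe = $cmd.Substring(1, $end - 1)
        $arguments = if ($end + 1 -lt $cmd.Length) { $cmd.Substring($end + 1).Trim() } else { '' }
    } else {
        # Unquoted image path: accumulate tokens until one ends in an executable-looking
        # extension, so "C:\Program Files\x\y.exe /arg" still yields the full path
        $tokens = $cmd -split ' +'
        $exe = $tokens[0]; $i = 0
        for ($j = 0; $j -lt $tokens.Count; $j++) {
            $candidate = $tokens[0..$j] -join ' '
            if ($candidate -match '\.(exe|dll|com|cmd|bat|scr|vbs|js|ps1)$') { $exe = $candidate; $i = $j; break }
        }
        $arguments = if ($i + 1 -lt $tokens.Count) { $tokens[($i + 1)..($tokens.Count - 1)] -join ' ' } else { '' }
    }
    # rundll32 is only a host; the payload worth hashing is the DLL in its first argument
    $payload = $exe
    if ($exe -and (Split-Path -Leaf $exe) -ieq 'rundll32.exe' -and $arguments) {
        $payload = ($arguments -split ',')[0].Trim().Trim('"')
    }
    [pscustomobject]@{ Executable = $exe; Arguments = $arguments; Payload = $payload }
}

function Get-AutorunFileInfo {
    param([string]$Path)
    # Bare names such as "rundll32.exe" are resolved through PATH, as the loader would
    $resolved = if ($Path -and -not [IO.Path]::IsPathRooted($Path)) {
        (Get-Command $Path -ErrorAction SilentlyContinue | Select-Object -First 1).Source
    } else { $Path }
    if (-not $resolved -or -not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
        return [pscustomobject]@{ ResolvedPath = $resolved; Exists = $false; SizeBytes = $null; SHA256 = $null; Signature = $null }
    }
    [pscustomobject]@{
        ResolvedPath = $resolved
        Exists       = $true
        SizeBytes    = (Get-Item -LiteralPath $resolved).Length
        SHA256       = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash
        Signature    = (Get-AuthenticodeSignature -LiteralPath $resolved).Status
    }
}

$locations = @('Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce')
$hives = @{ HKLM = [Microsoft.Win32.RegistryHive]::LocalMachine; HKCU = [Microsoft.Win32.RegistryHive]::CurrentUser }
$views = @([Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32)

$rows = foreach ($hiveName in $hives.Keys) {
    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hives[$hiveName], $view)
        foreach ($loc in $locations) {
            $key = $base.OpenSubKey($loc)
            if (-not $key) { continue }   # key not present in this view
            $lastWrite = Get-RegKeyLastWriteTime $key
            foreach ($name in $key.GetValueNames()) {
                # Keep REG_EXPAND_SZ unexpanded so the row records what is actually stored
                $raw = [string]$key.GetValue($name, '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                $parsed = Split-AutorunCommandLine $raw
                $file = Get-AutorunFileInfo $parsed.Payload
                [pscustomobject]@{
                    KeyPath = "$hiveName\$loc"; View = $view.ToString()
                    Is32Bit = ($view -eq [Microsoft.Win32.RegistryView]::Registry32)
                    LastWriteTime = $lastWrite; EntryName = $name; CommandLine = $raw
                    Executable = $parsed.Executable; Arguments = $parsed.Arguments
                    Payload = $file.ResolvedPath; Exists = $file.Exists
                    SHA256 = $file.SHA256; Signature = $file.Signature
                }
            }
            $key.Close()
        }
        $base.Close()
    }
}

$rows | Sort-Object LastWriteTime -Descending |
    Format-Table KeyPath, Is32Bit, LastWriteTime, EntryName, Executable, Exists, Signature -AutoSize
```

Run it from an elevated prompt so HKLM keys open in both views. Keys that Windows does not redirect return the same entries from both views, so deduplicate on KeyPath, EntryName and CommandLine if that matters for your report; on 32-bit Windows the two views are identical. For triage, an entry whose Exists is false (dangling autorun), whose Signature is NotSigned or HashMismatch, or whose LastWriteTime falls inside the incident window is the one to pull first. The unquoted-path heuristic assumes the image name carries an extension; entries without one fall back to the first token.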

Forensic Value

Registry persistence enumeration is essential for detecting malware and unauthorized software. Investigators use this data to:

  • Identify malicious autoruns

  • Detect persistence mechanisms

  • Track installed software that runs at startup

  • Identify suspicious registry modifications

  • Correlate persistence with malware execution

  • Detect Living Off the Land binaries

  • Validate system baseline configurations
